Harmony Endpoint for Linux
Solution

What's New in the Latest Versions?

Version 1.0.32

  • Anti-Malware: security fix (CVE-2023-20032).
  • Bugfixes.

Version 0.0.822

  • Debian 11 support.
  • Improved memory consumption.
  • Bugfixes.

Version 0.0.763

  • Anti-Malware: improved on-access scanner stability.

Version 0.0.757

  • Anti-Malware: improved on-access scanning performance.
  • Behavioral guard: engine enhancements.
  • Bugfixes.

Version 0.0.682

  • Anti-Malware support for the following SUSE distributions:
    • SUSE Linux Enterprise Server (SLES) 12 SP5.
    • SUSE Linux Enterprise Server (SLES) 15 SP3.
    • OpenSUSE 15.3.
    • OpenSUSE 42.3.

Version 0.0.654

  • Remote command push operation support.
  • EDR engine enhancements.

Version 0.0.625

  • RHEL 8.4 support.
  • CentOS 8.4 support.
  • Oracle Linux 8.4 support.
  • Bug fixes.

Version 0.0.564

  • Performance enhancements.
  • Bug fixes.

Version 0.0.532

  • Behavioral Guard engine for Linux.
  • Anti-Malware performance enhancements.
  • Anti-Malware process exclusion support (by process name).
  • Amazon Linux 2 OS support.


Solution Brief 

Harmony Endpoint for Linux protects Linux endpoint machines from malware and provides EDR threat-hunting capabilities. The solution is centrally managed and can be used as Management-as-a-Service or deployed on a local on-premises server.

Note: Starting from R81, Harmony Endpoint for Linux is supported with EPS On-Prem or EPS Cloud Management. To enable Harmony Endpoint for Linux, you must enable the Linux installation package flag. To enable, see sk177250.

Key threat prevention technologies

1. Anti-Malware

  • The Harmony Endpoint Linux Anti-Malware engine detects trojans, viruses, malware and other malicious threats
  • Implemented as a multi-threaded, flexible scanner daemon
  • Managed centrally via a web console; also provides command-line utilities for on-demand file/folder scans, detection lists and file restoration
Featuring
  • Automatic signature updates
  • Smart version updates - always up to date

2. Endpoint Detection and Response (EDR) / Threat-Hunting

  • Collects all Linux raw events, whether malicious, suspicious or benign, for full visibility
  • Allows proactive searching for cyber threats that made it through the first line of defense and reached the Linux servers
  • Easy investigation capabilities, such as predefined queries to find suspicious activities

Supporting the following events:
  • Process - start / stop
  • Files - create / delete / rename / open
  • Network - local connections, ports, DNS


3. Behavioral Guard

  • Dynamic analysis of malware executed on the endpoint, based on the behavior patterns of many attack types such as ransomware, cryptominers and trojans
  • Large set of constantly updated signatures to detect, prevent and remediate most modern attacks
  • Managed centrally via the web management console

Featuring
  • Automatic signature updates based on the latest intelligence, constantly adapted to the latest attacks


Documentation

See the Harmony Endpoint Administration Guide > Chapter "Harmony Endpoint for Linux"

Supported Linux Versions

Distribution                                 OS Version
Ubuntu                                       16.04, 18.04, 20.04
Debian                                       9.12 - 11.5
RHEL                                         7.8 - 8.7
CentOS                                       7.8 - 8.5
Oracle Linux                                 7.9 - 8.4
Amazon Linux                                 2
SUSE Linux Enterprise Server (SLES)*         12 SP5, 15 SP3
OpenSUSE*                                    15.3, 42.3

* Only the Anti-Malware blade is supported

Prerequisites

URLs and domains that should be whitelisted:
  • https://secureupdates.checkpoint.com/sbalinux
  • https://s3.amazonaws.com/download.draios.com
  • https://gwevents.checkpoint.com/gwstats/services/antimalware/1_0_0/log
  • Access to each distribution's standard repositories - the URL is not constant; the mirror is chosen based on latency
  • For RHEL/CentOS, access to the EPEL (Extra Packages for Enterprise Linux) repository is also needed**
  • If working with EP MaaS, allow connections to the Management server:
    https://*.epmgmt.checkpoint.com.
    Customers can use the precise URL containing the tenant name in FW rules
  • Anti-Malware signature update URL:
    http(s)://cplinuxam.checkpoint.com
    The signature source can be configured in the AM policy
  • Threat Hunting URLs:
    • https://dev-cloudinfra-gw.kube1.iaas.checkpoint.com/auth/external
    • https://us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net/stg-gcp-contractprovider
    • https://europe-west1-datatube-stg-244010.cloudfunctions.net


Known Limitations

Topic                                          Description
AntiMalware On-Access                          AntiMalware is triggered on-access only for the /home folder.
AntiMalware On-Access (build 0.0.822 or newer) AntiMalware is triggered on-access only for the /home and /root folders.
AntiMalware On-Access (build 0.0.763 or newer) The audit subsystem must not be controlled by a 3rd-party process.
AntiMalware On-Access (build 0.0.763 or newer) The audit subsystem must not be immutable. A machine restart is needed to switch audit from the immutable to the enabled state.
AntiMalware Root-User                          Files accessed by root users (sudo) will not be scanned.
AntiMalware Exclusions                         Only path and process exclusions are supported.
AntiMalware Signatures update                  Supported via a direct internet connection from the Linux client. Using the Management server as a proxy is not supported.
AntiMalware RAR/Zip                            RAR/Zip archives are not supported.
ThreatHunting Exclusions                       Process exclusions are supported by path only.
Supported environments 32/64 bit               The product supports 64-bit OS only; 32-bit is not supported.
Pending kernel updates                         If an OS kernel update is pending installation, the Linux client installation may fail.
Linux Secure Boot is not supported             Behavioral Guard and Threat Hunting engines are not supported when Linux Secure Boot is enabled.
Compatibility with other AM providers          Any other (non-Check Point) Anti-Malware engines should be removed from the machine before installing the Linux agent.
OS upgrade                                     OS upgrade is not supported; the Linux agent must be re-installed after an OS upgrade.
Push Operations

Only the following Push Operations are supported:

1. Forensics push operation: Add/restore file from Quarantine
2. AM push operations: restore file from Quarantine
3. Remote command execution

Other push operations are not supported.

Machine Type

Linux machines always show as Desktop machines on the management overview page.
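A pre-install readiness check for the host-side limitations listed above (immutable or 3rd-party-controlled audit subsystem, Secure Boot, 32-bit OS, pending kernel update). This is an added example, not Check Point's tooling; each check takes its input as an argument so it can be exercised on constructed data, and report() feeds it live values from the host. It assumes `auditctl -s` reports "enabled 2" for an immutable audit subsystem and that x86_64 is the relevant 64-bit architecture.

```shell
#!/bin/sh
# Readiness check for the Known Limitations above (added example, not product code).

# `auditctl -s` prints "enabled 2" when the audit subsystem is immutable; the
# on-access scanner (build 0.0.763 or newer) cannot use it until a reboot.
audit_state() {
    case "$1" in
        *"enabled 2"*) echo immutable ;;
        *"enabled 1"*) echo enabled ;;
        *"enabled 0"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# `mokutil --sb-state` output; Behavioral Guard and Threat Hunting are not
# supported while Secure Boot is enabled.
secureboot_state() {
    case "$1" in
        *"SecureBoot enabled"*) echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Only a 64-bit OS is supported (assumption: x86_64 is the relevant 64-bit arch).
arch_supported() {
    [ "$1" = x86_64 ] && echo yes || echo no
}

# A pending kernel update (newest installed kernel differs from the running one)
# can make the client installation fail. $1 = `uname -r`, $2 = newest installed.
kernel_pending() {
    [ "$1" = "$2" ] && echo no || echo yes
}

# Gather live values and print one result per check ("unknown" if a tool is absent).
report() {
    printf 'audit subsystem: %s\n' "$(audit_state "$(auditctl -s 2>/dev/null)")"
    printf 'secure boot: %s\n' "$(secureboot_state "$(mokutil --sb-state 2>/dev/null)")"
    printf '64-bit arch: %s\n' "$(arch_supported "$(uname -m)")"
    newest=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1)
    printf 'kernel update pending: %s\n' "$(kernel_pending "$(uname -r)" "${newest:-$(uname -r)}")"
}

case "${1:-}" in --run) report ;; esac
```

Run as `sh readiness.sh --run` on the target host before installing the agent; any "immutable", "enabled" (Secure Boot), "no" (arch) or "yes" (kernel pending) result maps to a row in the limitations table.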
